CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
Description (NVD)
October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup to execute insert, update, and delete operations on any database table through the query builder, which is included in the sandbox allow-list. This vulnerability is fixed in 3.7.14 and 4.1.10.
Analysis (AI)
October CMS versions prior to 3.7.14 and 4.1.10 allow backend developers with Developer permissions to bypass Twig sandbox restrictions and execute unauthorized database write operations (insert, update, delete) via the query builder when cms.safe_mode is enabled. This privilege escalation vulnerability enables data manipulation on any database table despite sandbox security policies intended to restrict template functionality.
External POC / Exploit Code
EUVD-2026-24155
GHSA-h6jm-f4hh-fw27